This is the version of smbcacls;

[root@localhost ~]# smbcacls -V
Version 3.0.28-0.fc7

This is the version of the operating system;

[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686 i386 GNU/Linux

Start with a directory with no ACLs;

[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x
REVISION:1
OWNER:Windows-PC\mygoodself
GROUP:Windows-PC\None

Apply a list of ACLs to the directory using smbcacls;

[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:Windows-PC\seconduser:ALLOWED/3/READ"
[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:Windows-PC\mygoodself:ALLOWED/19/FULL"
[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:NT AUTHORITY\Authenticated Users:ALLOWED/19/CHANGE"
[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:NT AUTHORITY\SYSTEM:ALLOWED/19/FULL"
[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:BUILTIN\Administrators:ALLOWED/19/FULL"
[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:BUILTIN\Users:ALLOWED/19/READ"

But the list is not in the order applied;

[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x
REVISION:1
OWNER:Windows-PC\mygoodself
GROUP:Windows-PC\None
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/19/CHANGE
ACL:NT AUTHORITY\SYSTEM:ALLOWED/19/FULL
ACL:BUILTIN\Administrators:ALLOWED/19/FULL
ACL:BUILTIN\Users:ALLOWED/19/READ
ACL:Windows-PC\mygoodself:ALLOWED/19/FULL
ACL:Windows-PC\seconduser:ALLOWED/3/READ

In Windows, when right-clicking on the directory 'new' and going to Properties, then the Security tab, the following message is displayed;

"The permissions on 'new' are incorrectly ordered, which may cause some enteries to be ineffective"

The problem is the same when adding multiple ACLs on one line.

[root ~]# smbcacls //192.168.1.64/'area 3' 'test/new' -a 'ACL:Windows-PC\seconduser:ALLOWED/3/READ,ACL:Windows-PC\mygoodself:ALLOWED/19/FULL,ACL:NT AUTHORITY\Authenticated Users:ALLOWED/19/CHANGE,ACL:NT AUTHORITY\SYSTEM:ALLOWED/19/FULL,ACL:BUILTIN\Administrators:ALLOWED/19/FULL,ACL:BUILTIN\Administrators:ALLOWED/19/FULL' -Umygoodself%x

[root ~]# smbcacls //192.168.1.64/'area 3' 'test/new' -Umygoodself%x
REVISION:1
OWNER:Windows-PC\mygoodself
GROUP:Windows-PC\None
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/19/CHANGE
ACL:NT AUTHORITY\SYSTEM:ALLOWED/19/FULL
ACL:BUILTIN\Administrators:ALLOWED/19/FULL
ACL:Windows-PC\mygoodself:ALLOWED/19/FULL
ACL:Windows-PC\seconduser:ALLOWED/3/READ

I don't want to make changes directly to Samba, as I don't want millions of people to blame me ... however, after looking at this Microsoft specification

http://msdn2.microsoft.com/en-us/library/aa379298(VS.85).aspx

I think the ace_compare function in smbcacls.c should be coded like this;

static int ace_compare(SEC_ACE *ace1, SEC_ACE *ace2)
{
	if (sec_ace_equal(ace1, ace2))
		return 0;

	if (ace1->flags != ace2->flags)
		return ace1->flags - ace2->flags;

	if (ace1->type != ace2->type)
		return ace2->type - ace1->type;

	if (sid_compare(&ace1->trustee, &ace2->trustee))
		return sid_compare(&ace1->trustee, &ace2->trustee);

	if (ace1->access_mask != ace2->access_mask)
		return ace1->access_mask - ace2->access_mask;

	if (ace1->size != ace2->size)
		return ace1->size - ace2->size;

	return memcmp(ace1, ace2, sizeof(SEC_ACE));
}

I don't think it's quite that simple. I've already been through this with libsmbclient. I _believe_ that the ace_compare() function in source/libsmb/libsmbclient.c now does this properly so could probably be used as a model.

Derrell

OK thx, I'll copy and paste that directly into smbcacls.c and compile it - we are gonna do some testing so I will let you know (on this webpage) if it works ok or not.
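
The canonical DACL order (explicit ACEs before inherited ones, deny before allow within each group) checked against the first ACL listing in the report, as an added example; it is not Samba's code or the function proposed in the thread. It assumes the number after the ACE type is the flags value, in which bit 0x10 is INHERITED_ACE, and the function names are invented for the example.

```c
#include <stdio.h>
#include <string.h>
#define INHERITED_ACE 0x10 /* flag bit on ACEs inherited from a parent */

/* Rank of an "ACL:<trustee>:<TYPE>/<flags>/<mask>" line: 0 explicit deny,
 * 1 explicit allow, 2 inherited deny, 3 inherited allow; -1 if unparsable. */
static int ace_rank(const char *line) {
    char type[16];
    int flags;
    const char *p = strrchr(line, ':'); /* trustee has spaces; split at last ':' */
    if (strncmp(line, "ACL:", 4) != 0 || sscanf(p + 1, "%15[A-Z]/%i/", type, &flags) != 2 ||
        (strcmp(type, "ALLOWED") != 0 && strcmp(type, "DENIED") != 0))
        return -1;
    return ((flags & INHERITED_ACE) ? 2 : 0) + (type[0] == 'A');
}

/* Index of the first ACE ranked below its predecessor, or -1 if canonical. */
static int first_misordered(const char **aces, int n) {
    for (int i = 1; i < n; i++)
        if (ace_rank(aces[i]) < ace_rank(aces[i - 1]))
            return i;
    return -1;
}

/* Stable insertion sort by rank; equal-rank ACEs keep their relative order. */
static void canonicalize(const char **aces, int n) {
    for (int i = 1; i < n; i++)
        for (int j = i; j > 0 && ace_rank(aces[j - 1]) > ace_rank(aces[j]); j--) {
            const char *t = aces[j];
            aces[j] = aces[j - 1];
            aces[j - 1] = t;
        }
}

/* ACL lines copied from the first listing in the report. */
static const char *reported[] = {
    "ACL:NT AUTHORITY\\Authenticated Users:ALLOWED/19/CHANGE",
    "ACL:NT AUTHORITY\\SYSTEM:ALLOWED/19/FULL",
    "ACL:BUILTIN\\Administrators:ALLOWED/19/FULL",
    "ACL:BUILTIN\\Users:ALLOWED/19/READ",
    "ACL:Windows-PC\\mygoodself:ALLOWED/19/FULL",
    "ACL:Windows-PC\\seconduser:ALLOWED/3/READ",
};

int main(void) {
    printf("first misordered entry: %d\n", first_misordered(reported, 6));
    canonicalize(reported, 6);
    printf("after sort: %d, first ACE: %s\n", first_misordered(reported, 6), reported[0]);
    return 0;
}
```

By this rule the only entry out of place in the listing is the last one: flags 3 has no inherited bit, so it is an explicit ACE sitting after five ACEs marked inherited (flags 19).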